Why Privacy Rights Requests Fall Apart Before They Even Start


I gave up lifting weights for a long time. I’ve been a Peloton rider since before Covid, and I love starting a morning with yoga (ok, not every morning, but I can tell the difference when I don’t).

Somewhere along the way, the weights just stopped being part of the routine. A few months ago, I started doing them (love my Peloton app for all things exercise), and I noticed a difference pretty quickly. Week after week, I can tell that the reps are working, and I’m stronger (and also sometimes very sore!).

Despite my best efforts, I cannot fully turn my brain off while I exercise. Time exercising is actually when I do some of my clearest thinking. I work through conversations from the week, problems I have been sitting with, or process the various conversations I have had with clients.

This week, a company shared that they had received a privacy rights request and genuinely did not know what to do with it.

That stayed with me through the rest of the workout, because it is not an unusual situation. Most companies that struggle with privacy rights requests are not skipping the whole program. They have part of it, like the webform, the email box, or the response templates. But pieces that are not purposefully connected into one seamless process don’t help a company when a consumer rights request actually arrives.

The Ownership Problem Nobody Names

The most common pattern I see is just like the call I had. A deletion request comes in through a form on the company website. Because it came through that channel, it lands with the marketing team. Marketing might respond directly to the consumer, with or without properly vetted response language or identity verification. Or the marketing team starts asking legal or compliance, “What do I do?” Meanwhile, all that forwarding is using up precious time in the rights request window (typically 45 days in the US and 30 days outside it, notably in the EU/UK).

Now, a week later, an employee submits a request asking what personal data the company holds about them. It comes through the same website form and also lands with marketing, who now definitely doesn’t know what to do. If there’s no formal policy or process, then that means there was likely no training with teams such as HR to know what to do.

Employee requests operate differently than consumer requests. Once again, legal or compliance needs to get involved, plus HR and maybe even outside counsel, depending on the request and complexity of the situation.

This is the ownership problem. Privacy rights requests cut across multiple parts of an organization. Marketing often controls intake because the form lives on the website. Legal/compliance/privacy (hopefully one of these) owns response language. IT often owns the data systems.

Often, teams have not mapped a shared workflow connecting their piece to the next one. So when a request arrives, it bounces between functions until someone improvises a solution or the deadline passes.

Having a Template Is Not the Same as Having a Process

I run into this situation regularly. A company engaged outside counsel to draft privacy rights response templates, and this is their “Privacy Rights Policy.” Kudos to this company for having a policy and these templates (that are sitting in a folder on a shared drive that most of the relevant team has never opened).

The real problem? Nobody built those templates into a documented procedure or connected them to a workflow. And if there’s no procedure or workflow, the teams or people who receive and handle incoming requests don’t know what to do or when. An end-to-end process should cover intake, who handles responses and how, where to find the templates, how to use them, and even that they exist.

Even for the companies that have purchased a workflow automation solution, we’ve seen cases where there’s just the webform with no workflow behind it. To build the workflow, you have to go through all the same steps.

Companies can’t skip the step of building a process.

Know Where The Data Is

Companies need to know which systems are involved and what data can be provided in an access request or deleted in a deletion request. This is why a data inventory is SO important (hint, hint, check out our data inventory materials 👇 or sign up for the next Data Inventory Masterclass). Without it, a company receiving a request is working out from scratch how to honor it, with the clock already running.

A Policy Without Training Goes Nowhere

Even when a company has a real, documented process that has been reviewed by all the players, like legal, compliance, and/or privacy, and assigned to specific owners, it can still break down if the people responsible for running it were never trained.

The marketing coordinator who receives a webform submission needs to know what a privacy rights request is, what to do in the first twenty-four hours, and who to contact when something falls outside their lane. If it’s an HR request, who does that get routed to? Who does the follow-up internally to ensure it’s done? Who responds to the requestor?

Training closes the gap between a policy and process that lives in a document and one that actually functions.

It does not need to be a long compliance course. It needs to cover what a request looks like, what to do right away, who owns each step, and where to find the templates and procedures. If there’s software involved, the person or team responsible for the software needs to know how it works and how to mark various stages, like review or approve.

Since privacy laws keep passing and changing, companies may change the workflow design, and template responses may change too. It’s important to know how the software tool works so all these adjustments can be made. Don’t forget that people change roles, so having the process documented clearly will help with the transition.

The Rep That Connects Everything

Back to my exercise regimen. What made the difference was not doing everything at once or finding the perfect routine on day one. It was building something connected and showing up for all of it consistently. Each piece supports the next.

Privacy rights programs work the same way. Intake connects to verification. Verification routes to a clear owner who follows documented procedures. The people following the procedures have been trained on them, as well as the software tool, if applicable. Response time is being measured to ensure it goes out on time (the burden of proof is always with the company). And someone knows how to actually honor the request and knows where the data is.
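To make the connected workflow above concrete, here is an added example (illustration code written for this post, not a Red Clover Advisors tool or any product's code) of a minimal rights-request tracker. It encodes the pieces the post names: intake, identity verification before any response, routing to an owner by request type, a status flow that refuses to skip steps, and a deadline computed from the response windows the post cites (45 days for US requests, 30 days for EU/UK). The owner labels (privacy, HR, IT), the status names, and the routing rules are assumptions constructed for this example; the post only says which teams tend to be involved, not how a given company should route.

```python
"""Added example: a minimal privacy-rights-request intake, routing and deadline tracker.

Not from the post or any vendor. Owner labels, status names and routing rules are
constructed assumptions; the response windows (45 days US, 30 days EU/UK) are the
figures the post gives.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"
    DELETION = "deletion"


class Requester(Enum):
    CONSUMER = "consumer"
    EMPLOYEE = "employee"


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "verified"      # identity verification done
    IN_REVIEW = "in_review"    # owner following the documented procedure
    RESPONDED = "responded"


# Response windows from the post (assumed region keys).
RESPONSE_WINDOW_DAYS = {"US": 45, "EU_UK": 30}

# The only permitted step order. A response cannot go out before verification and
# review, which is exactly the "marketing replies directly" failure the post describes.
ALLOWED_TRANSITIONS = {
    Status.RECEIVED: {Status.VERIFIED},
    Status.VERIFIED: {Status.IN_REVIEW},
    Status.IN_REVIEW: {Status.RESPONDED},
    Status.RESPONDED: set(),
}


@dataclass
class RightsRequest:
    request_id: str
    request_type: RequestType
    requester: Requester
    region: str
    received_on: date
    status: Status = Status.RECEIVED
    history: list = field(default_factory=list)  # (status, date) audit trail

    def __post_init__(self):
        if self.region not in RESPONSE_WINDOW_DAYS:
            raise ValueError(f"unknown region {self.region!r}")
        self.history.append((self.status, self.received_on))


def deadline(req: RightsRequest) -> date:
    """Statutory-style due date: intake date plus the region's response window."""
    return req.received_on + timedelta(days=RESPONSE_WINDOW_DAYS[req.region])


def days_remaining(req: RightsRequest, today: date) -> int:
    return (deadline(req) - today).days


def is_overdue(req: RightsRequest, today: date) -> bool:
    return req.status is not Status.RESPONDED and today > deadline(req)


def route_owners(req: RightsRequest) -> list[str]:
    """Assumed routing: privacy owns every request; HR joins employee requests;
    IT joins deletions because it owns the data systems that must act."""
    owners = ["privacy"]
    if req.requester is Requester.EMPLOYEE:
        owners.append("hr")
    if req.request_type is RequestType.DELETION:
        owners.append("it")
    return owners


def advance(req: RightsRequest, new_status: Status, on: date) -> RightsRequest:
    """Move the request one step; refuse any transition the workflow does not allow."""
    if new_status not in ALLOWED_TRANSITIONS[req.status]:
        raise ValueError(
            f"{req.request_id}: cannot move from {req.status.value} to {new_status.value}"
        )
    req.status = new_status
    req.history.append((new_status, on))
    return req


def response_time_days(req: RightsRequest):
    """Measured response time (the post's 'burden of proof is with the company')."""
    if req.status is not Status.RESPONDED:
        return None
    return (req.history[-1][1] - req.received_on).days


if __name__ == "__main__":
    # Constructed sample request: US consumer deletion received 1 March 2024.
    r = RightsRequest("req-001", RequestType.DELETION, Requester.CONSUMER, "US", date(2024, 3, 1))
    print("owners:", route_owners(r), "deadline:", deadline(r))
    advance(r, Status.VERIFIED, date(2024, 3, 4))
    advance(r, Status.IN_REVIEW, date(2024, 3, 6))
    advance(r, Status.RESPONDED, date(2024, 3, 20))
    print("response time (days):", response_time_days(r))
```

The value of even this small tracker is the two things the post says go missing: every request has a named owner the moment it is created, and the deadline is computed once at intake rather than rediscovered after a week of forwarding. A real implementation would add the verification evidence and the list of systems from the data inventory that each deletion touches.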

If you’re looking for a practical starting point, download our Red Clover Advisors Privacy Rights Guide. People love how practical our guides are in making privacy operational.

Wishing you workouts where privacy is the last thing on your mind!

Jodi


💡 When you’re ready, here’s how we can help:

⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.

⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.